SpyAxe, Spy Sheriff, Brave
Sentry, Spy Trooper, SpywareQuake
and other similar Malware
Removal Instructions and Help

How Did My
Computer Become Infected with SpyAxe, Spy Sheriff, Brave Sentry, etc?

If your computer has become infected with one of these "spyware removal programs", you were probably infected through a Windows exploit discovered on December 26, 2005, called the WMF exploit, or through another exploit called the VML exploit, discovered in September 2006. These exploits affect Windows XP/2000 and Windows 2003 Server-based computers. Microsoft describes the WMF vulnerability in its security bulletin this way:

A
remote code execution vulnerability exists in the Graphics Rendering
Engine because of the way that it handles Windows Metafile (WMF)
images. An attacker could exploit the vulnerability by constructing a
specially crafted WMF image that could potentially allow remote code
execution if a user visited a malicious Web site or opened a specially
crafted attachment in e-mail. An attacker who successfully exploited
this vulnerability could take complete control of an affected system.

This exploit, and other similar unpatched problems, open the way for a variety of trojans, viruses, spyware and other malware to attack the system. Most of these attacks happen through an automatic ("drive-by") download from an infected web page, which means that if you do not have the patch loaded for the Windows Meta File (WMF) exploit or for the Vector Markup Language (VML) exploit, simply visiting a particular web page can infect you. Sunbelt Software, makers of CounterSpy, compiled a list of malicious web sites where this exploit was being used. Some of these sites are listed below (do not visit these sites or your computer will be infected).

Trojans like Troj.Zlob.AN, which was the main trojan spreading the SpyAxe problem, and other viruses, trojans, and spyware then load onto the compromised computer after the initial exploit. Unfortunately, an exploit such as this has spawned more than 100 different varieties of malware. Often the Task Manager will be disabled, the computer's date will be changed, and the computer will slow down considerably after such an infection. The browser home page may also be pointed to sites like http://www.updateyoursystem.com/, http://www.safetyuptodate.net or http://www.needupdate.com/, which pose as Online Security Centers telling visitors their computers are infected with the W32.Sinnaka.A@mm worm. W32.Sinnaka.A@mm is a real worm, but it is not part of this exploit; it is just another smoke screen to scare visitors into buying a spyware removal tool that most likely won't clean their system anyway. A screenshot of one of these sites is below:

HijackThis will show various problem files; a typical HijackThis log from a computer infected with this issue will look similar to the one shown here. You'll notice the HOSTS file entries (the O1 lines) rerouting internet queries for banking, credit cards, etc. to an overseas IP address.
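To illustrate the HOSTS-file tampering described above, here is an added example (written for this edit, not part of the original page or of HijackThis) that parses HOSTS-file text and flags the two patterns these infections use: a hostname mapped to a remote address, which reroutes the user's traffic, and a security vendor or update site mapped to 127.0.0.1 or 0.0.0.0, which keeps the victim from getting help. The sample HOSTS content and the vendor keyword list are constructed for the example and are not taken from an actual log.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample of a tampered HOSTS file (not taken from the original page).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# lines added by the infection (constructed example)
81.0.2.100      www.examplebank.com
81.0.2.100      onlinebanking.example.net   # trailing comment
127.0.0.1       www.symantec.com
0.0.0.0         liveupdate.symantecliveupdate.com
"""

# Names a clean Windows HOSTS file may legitimately map to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Assumed keyword list of vendors whose sites malware commonly blocks.
VENDOR_KEYWORDS = ("symantec", "mcafee", "trendmicro", "kaspersky",
                   "windowsupdate", "microsoft", "sunbelt", "ewido")

Entry = Tuple[int, str, str]          # (line number, ip, hostname)
Finding = Tuple[int, str, str, str]   # (line number, ip, hostname, reason)


def parse_hosts(text: str) -> List[Entry]:
    """Return (lineno, ip, hostname) for every mapping in HOSTS-file text.

    Comments (#...) and blank lines are skipped; one line may map several
    names to one address, and a line whose address field is unparsable
    is ignored rather than treated as a finding."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((lineno, str(ip), name.lower()))
    return entries


def suspicious_entries(text: str) -> List[Finding]:
    """Flag entries that redirect traffic to a remote host or sinkhole a vendor."""
    findings: List[Finding] = []
    for lineno, ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        local_target = addr.is_loopback or addr.is_unspecified
        if not local_target:
            # Any name steered to a non-local address is a redirect: this is
            # the banking / credit-card rerouting HijackThis shows as O1 lines.
            findings.append((lineno, ip, name, "redirected to remote address"))
        elif name not in LOCAL_NAMES and any(k in name for k in VENDOR_KEYWORDS):
            # A vendor or update site pinned to loopback or 0.0.0.0 stops the
            # victim from downloading removal tools or signature updates.
            findings.append((lineno, ip, name, "security site blocked"))
    return findings


if __name__ == "__main__":
    for lineno, ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {ip:<15} {name:<40} {reason}")
```

On a real XP/2000/2003 machine, feed the function the contents of %SystemRoot%\system32\drivers\etc\hosts; these infections often set the file hidden and read-only, so clear those attributes (attrib -r -h) before you edit it. A hit on a loopback mapping is only suspicious when the name is a vendor site; users who run blocklist-style HOSTS files will have many harmless loopback entries.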

What's
the Best Way to Remove SpyAxe, Spy Sheriff, Brave Security, Spy Trooper
and other problems?

By intentionally infecting a test computer with Spy Sheriff, Brave Security and a couple of other variations of this problem, I have come up with a multi-step approach to cleaning the system. Unfortunately, because this exploit opens the door to several different trojans, viruses, and spyware programs, you'll need a few pieces of software to remove them effectively.

Before attempting this removal
procedure, download the following removal tools to your desktop and
install them.

Killbox - a useful program for deleting files that Windows reports as "in use", which otherwise prevents normal deletion

Removal
Procedure

1) Download the programs above to your desktop, then extract and install them. Update the signatures for Ewido Anti-Malware. Once this is complete, reboot your computer in Safe Mode.

2) Open the SmitRem folder and double-click on RunThis.bat to start the SmitRem removal procedure. Besides removing the particular files it looks for, the tool also runs the Disk Cleanup tool to remove temporary files on the hard drive that may contain problem files. For a tutorial on using SmitRem, click here.

3) After SmitRem has finished, open Ewido Anti-Malware and run a full system scan, deleting anything it finds.

4) While still in Safe Mode, run CCleaner. Analyze and clean the files it finds, then click on the Issues button on the left side of the screen and scan for and fix any registry issues CCleaner discovers. Run both the Registry Scanner and the File Analyzer repeatedly until nothing else is found.

5) Search
for and manually delete the following directories and files if they
remain.

svchosts.dll

wbeconm.dll

webconm.dll

mssearchnet.exe

mscornet.exe

nvctrl.exe

spyaxe.exe

netwrap.dll

ntzl.exe

ioctrl.dll

intelli321.exe

hpA75B.tmp
or any file matching hpXXXX.tmp, where each X may be any character

c:\windows\inet20004
or any c:\windows\inetXXXXX directory (where XXXXX is a random number)
and all files in it

C:\Program
Files\SpyAxe

C:\Program
Files\Spy Sheriff

C:\Program
Files\SpywareQuake.com

C:\Program
Files\BraveSentry

C:\Program
Files\AlfaCleaner

C:\Windows\System\1024

C:\Windows\System32\1024

C:\Winnt\System32\1024
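The list in step 5 can be turned into a mechanical check. The following is an added example (not from the original page or from any of the tools it names) that encodes the file names, wildcard patterns and directories from that list as rules and reports which entries of a file listing match them. The sample listing is constructed; on the infected machine you would run scan_tree over the system drive instead. Treat a hit as something to inspect before deleting, not as proof on its own.

```python
import os
import re
from typing import Iterable, List, Tuple

# Exact file names from the removal list above (matched case-insensitively).
KNOWN_FILES = {
    "svchosts.dll", "wbeconm.dll", "webconm.dll", "mssearchnet.exe",
    "mscornet.exe", "nvctrl.exe", "spyaxe.exe", "netwrap.dll", "ntzl.exe",
    "ioctrl.dll", "intelli321.exe",
}

# Wildcard and directory entries from the list as (label, regex, on_basename).
# Paths are normalized to lower case with backslashes, so one rule covers
# both C:\Windows and C:\Winnt, and a directory rule also hits files inside it.
PATTERNS = [
    ("hpXXXX.tmp", re.compile(r"^hp.{4}\.tmp$"), True),
    ("windows\\inetXXXXX directory",
     re.compile(r"^[a-z]:\\win(dows|nt)\\inet\d+(\\|$)"), False),
    ("System(32)\\1024 directory",
     re.compile(r"^[a-z]:\\win(dows|nt)\\system(32)?\\1024(\\|$)"), False),
    ("rogue Program Files directory",
     re.compile(r"^[a-z]:\\program files\\"
                r"(spyaxe|spy sheriff|spywarequake\.com|bravesentry|alfacleaner)(\\|$)"),
     False),
]

# Constructed directory listing standing in for a real infected machine.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\svchost.exe",      # legitimate: single 's', no hit
    r"C:\WINDOWS\system32\svchosts.dll",     # look-alike name from the list
    r"C:\WINDOWS\system32\1024\example.dll",
    r"C:\WINDOWS\inet20004\file.dat",
    r"C:\WINNT\system32\hpA75B.tmp",
    r"C:\Program Files\BraveSentry\BraveSentry.exe",
    r"C:\Program Files\Common Files\System\wab32.dll",   # legitimate, no hit
    r"C:\Documents and Settings\User\Local Settings\Temp\hp1234.tmp",
]


def normalize(path: str) -> str:
    """Lower-case the path and use backslashes so the rules are case-insensitive."""
    return path.replace("/", "\\").lower()


def match_path(path: str) -> List[str]:
    """Return the label of every rule the path matches (empty list if clean)."""
    norm = normalize(path)
    base = norm.rsplit("\\", 1)[-1]
    hits: List[str] = []
    if base in KNOWN_FILES:
        hits.append("known file " + base)
    for label, regex, on_basename in PATTERNS:
        if regex.search(base if on_basename else norm):
            hits.append(label)
    return hits


def scan_listing(paths: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Apply the rules to an already-collected listing (e.g. from dir /s /b)."""
    results: List[Tuple[str, List[str]]] = []
    for path in paths:
        hits = match_path(path)
        if hits:
            results.append((path, hits))
    return results


def scan_tree(root: str) -> List[Tuple[str, List[str]]]:
    """Walk a live drive (e.g. r"C:\\") and apply the same rules to every entry."""
    found: List[Tuple[str, List[str]]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            hits = match_path(full)
            if hits:
                found.append((full, hits))
    return found


if __name__ == "__main__":
    for path, hits in scan_listing(SAMPLE_LISTING):
        print(f"{path}\n    matches: {', '.join(hits)}")
```

Note the svchost.exe / svchosts.dll pair in the sample: several names on the list are deliberately one character away from legitimate Windows files, which is why the exact-name set is matched on the basename only and never with a looser substring test.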

6) Run HijackThis and remove any leftover issues. If you are not sure whether a line in HijackThis is a problem, reboot in normal mode and use the online HijackThis scanner to see if the file is a threat: just copy and paste your HijackThis log into the scanner and let it analyze it for you. Although it's not perfect, it will give you an idea whether your system is clean or still needs some work. Do not delete anything with HijackThis unless you are absolutely sure what the file is and what it does.

7) For items in the HijackThis log like the following, which will not delete manually, use KillBox to browse to the location of the file and delete it, or delete it on reboot. Items that are impossible to remove without Killbox usually show up in the O20 section of HijackThis (AppInit_DLLs and Winlogon Notify entries, which are loaded into running processes and so are always in use).

8) Fix your desktop wallpaper by going to Control Panel, double-clicking on Display, and on the Desktop tab making sure the background wallpaper is correct. Then click on Customize Desktop and click on the Web tab. This tab is usually where active components such as web pages have taken over your desktop. Delete any problem entries here and click OK twice to leave the Display settings. Return to your desktop and check to make sure it's correct.

9) Scan your computer with an online virus scanner such as Housecall, BitDefender, or eTrust, or download and install an antivirus program and run a complete scan. A list of online scanners is below; some, however, will only scan and not remove what they find.

Congratulations! Your computer should now be free of the dreaded SpyAxe, Spy Sheriff, WinHound, Brave Sentry, Spy Trooper, Alfa Cleaner, or other similar bogus spyware removal tool and the problems that come with it. However, now that your computer is running better, patch the exploit before you visit another web page. Follow the instructions below to download the patch for this exploit. If for some reason you are still experiencing problems or have files that you are not sure of, you can email me a HijackThis log and I'll see if I can help.